Developer & maintainer of BtleJuice. Having fun with Nordic's nrf51822

Transcription

1 YOU'D BETTER SECURE YOUR BLE DEVICES OR WE'LL KICK YOUR DEF CON 26, Aug. 12th 2018

2 WHO AM I? Head of Econocom Digital Security Studying Bluetooth Low Energy for 3 years Developer & maintainer of BtleJuice Having fun with Nordic's nrf51822

3 BLE sniffing 101 AGENDA Improving the BLE arsenal Sniffing BLE connections in 2018 Introducing BtleJack, a flexible sniffing tool BtleJacking: a brand new attack How it works Vulnerable devices & demos Recommendations

4 BLE SNIFFING 101

5 MUCH CHEAP TOOLS, (NOT) WOW RESULTS Sniffing existing/new connections with an Ubertooth One Sniffing new connections with an Adafruit's Bluefruit LE Sniffer Sniffing BLE packets with gnuradio

6 UBERTOOTH ONE Sniffs existing and new connections Does not support channel map updates Costs $120

7 BLUEFRUIT LE SNIFFER Up-to-date so ware (Nov. 2017) Proprietary firmware from Nordic Semiconductor Sniffs only new connections Costs $30 - $40

8 SOFTWARE DEFINED RADIO Sniffs only BLE advertisements Unable to follow any existing/new connection Latency Requires 2.4GHz compatible SDR device

9 BLE SNIFFING 101 BLE is designed to make sniffing difficult: 3 separate advertising channels Uses Frequency Hopping Spread Spectrum (FHSS) Master or slave can renegotiate some parameters at any time Sniffing BLE connections is either hard or expensive

10 MAN IN THE MIDDLE

11 HOW BLE MITM WORKS Discover the target device (advertisement data, services & characteristics) Connect to this target device, it is not advertising anymore (connected state) Advertise the same device, await connections and forward data

12 BTLEJUICE

13 GATTACKER

14 Pros: Get rid of the 3 advertising channels issue You see every BLE operation performed You may tamper on-the-fly the data sent or received

15 Cons: Complex to setup: 1 VM & 1 Host computer Only capture HCI events, not BLE Link Layer Does not support all types of pairing Only compatible with 4.0 adapters

16 WE ARE DOING IT WRONG! Ubertooth-btle is outdated and does not work with recent BLE stacks Nordic Semiconductor' sniffer is closed source and does not allow active connection sniffing and may be discontinued The MitM approach seems great but too difficult to use and does not intercept link-layer packets

17 IMPROVING THE BLE ARSENAL

18 THE IDEAL TOOL Able to sniff existing and new connections Uses cheap hardware Open-source

19 SNIFFING ACTIVE CONNECTIONS

20 MIKE RYAN'S TECHNIQUE 1. Identify Access Address (32 bits) 2. Recover the CRCInit value used to compute CRC 3. hopinterval = time between two packets / hopincrement = LUT[time between channel 0 & 1]

21 MIKE'S ASSUMPTION (2013) All 37 data channels are used

22 DATA CHANNELS IN 2018 Not all channels are used to improve reliability Some channels are remapped to keep a 37 channels hopping sequence 0, 4, 8, 12, 16, 20, 24, 0, 4, 8, 3, 7, 11, 15, 19, 23, 27, 3, 7, 2, 6, 10, 14, 18, 22, 26, 2, 6, 1, 5, 9, 13, 17, 21, 25, 1, 5 Mike's technique does not work anymore!

23 HOW TO DEDUCE CHANNEL MAP AND HOP INTERVAL Channel map Listen for packets on every possible channels May take until 4 x 37 seconds to determine! Hop interval Find a unique channel Measure time between 2 packets and divide by 37

24 DEDUCE HOP INCREMENT Pick 2 unique channels Generate a lookup table Measure time between two packets on these channels Determine increment value More details in PoC GTFO 0x17

25 SNIFFING NEW CONNECTIONS

26 CONNECT_REQ PDU Every needed information are in this packet Sniffer must listen on the correct channel

27 "INSTANT" MATTERS Defines when a parameter update is effective Used for: Channel map updates Hop interval updates

28 WE DON'T CARE AT ALL

29 WE DON'T CARE AT ALL

30 WE DON'T CARE AT ALL

31 WE DON'T CARE AT ALL

32 WE DON'T CARE AT ALL

33 MULTIPLE SNIFFERS FOR THE ULTIMATE SNIFFING TOOL

34 A BRAND NEW TOOL...

35 ... BASED ON A MICRO:BIT $15

36 BTLEJUICE

37 BTLEJUICEJACKJACK

38 NO LIVE DEMO, I KNOW YOU.

39 SNIFFING A NEW CONNECTION

40 SNIFFING AN EXISTING CONNECTION

41 PCAP EXPORT Supports Nordic and legacy BTLE formats

42 BTLEJACKING A NEW ATTACK ON BLE

43 SUPERVISION TIMEOUT Defined in CONNECT_REQ PDU Defines the time a er which a connection is considered lost if no valid packets Enforced by both Central and Peripheral devices

44

45 SUPERVISION TIMEOUT VS. JAMMING

46 SUPERVISION TIMEOUT VS. JAMMING

47 SUPERVISION TIMEOUT VS. JAMMING

48 SUPERVISION TIMEOUT VS. JAMMING

49 SUPERVISION TIMEOUT VS. JAMMING

50 SUPERVISION TIMEOUT VS. JAMMING

51 SUPERVISION TIMEOUT VS. JAMMING

52 JAMMING FTW

53 BTLEJACKING Abuse BLE supervision timeout to take over a connection BLE versions 4.0, 4.1, 4.2 and 5 are vulnerable Requires proximity (about 5 meters away from target)

54 EXAMPLE OF VULNERABLE DEVICES

55

56

57 SEXTOYS TOO!

58

59

60

61

62 IMPACT Unauthorized access to a device, even if it is already connected Bypass authentication, if authentication is performed at the start of connection Keep the device internal state intact: this may leak valuable information

63 COUNTER-MEASURES Use BLE Secure Connections (see specifications) At least authenticate data at application layer

64 BTLEJACK

65 FEATURES Already established BLE connection sniffing New BLE connection sniffing Selective BLE jamming BLE connection take-over (btlejacking) PCAP export to view dumps in Wireshark Multiple sniffers support

66 CONCLUSION Btlejack is an all-in-one solution for BLE sniffing, jamming and hijacking BLE hijacking works on all versions Insecured BLE connections are prone to sniffing and hijacking It might get worse with further versions of BLE (greater range) Secure your BLE connections FFS (really, do it)

67 THANKS! QUESTIONS?

68 WHY DIDN'T YOU IMPROVE UBERTOOTH-BTLE CODE? I am a lot more familiar with nrf51 SoCs than LPC microcontrollers Buying 3 Ubertooth devices ($360) is not cheap

69 HOW DID YOU MAKE YOUR CLUSTER? From a modified ClusterHat v2 ($30)